[gentoo-user] How to update public keys?

[gentoo-user] How to update public keys?

[Grant Edwards]

As of today, I seem to be unable to a an "emerge --sync".

The process either hangs forever at the "Refreshing keys from keyserver step:

    # emerge --sync
    >>> Syncing repository 'gentoo' into '/usr/portage'...
     * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
     * Refreshing keys from keyserver ... 

Or, it fails because there are no public key to verify a manfest:

    # emerge --sync
    >>> Syncing repository 'gentoo' into '/usr/portage'...
     * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
     * Refreshing keys from keyserver ...                                                 [ ok ]
    >>> Starting rsync with rsync://156.56.247.193/gentoo-portage...
[...]
    receiving incremental file list
    timestamp.chk
    
    Number of files: 1 (reg: 1)
[...]
    sent 109 bytes  received 1.15K bytes  838.00 bytes/sec
    total size is 32  speedup is 0.03
    ---------------------------------------------------------
[...]
    receiving incremental file list
    metadata/timestamp.chk
    
    Number of files: 161,932 (reg: 134,486, dir: 27,446)
[...]
    sent 27.56K bytes  received 4.04M bytes  626.31K bytes/sec
    total size is 218.65M  speedup is 53.71
    !!! Manifest verification failed:
    OpenPGP verification failed:
    gpg: Signature made Thu 05 Jul 2018 06:38:32 PM UTC
    gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
    gpg: Can't check signature: No public key
    
    q: Updating ebuild cache in /usr/portage ... 
    q: Finished 35635 entries in 0.141629 seconds
    
     * IMPORTANT: config file '/etc/ssh/sshd_config' needs updating.
     * See the CONFIGURATION FILES and CONFIGURATION FILES UPDATE TOOLS
     * sections of the emerge man page to learn how to update config files.
    
    Action: sync for repo: gentoo, returned code = 1
    
I've found all sorts of recipes to try to fix this for webrsync users
but I use plain-old "emerge --sync".

I also found a recipe that appears to recommend you completely wipe
portage and reinstall it from scratch using a snapshot.    Is that
seriously what we're supposed to do?

-- 
Grant

Re: [gentoo-user] How to update public keys?

[Jalus Bilieyich]

You just need to use Gentoo's built-in script from gentoolkit.

Just run:

# etc-update

And overwrite the current config file you have (trust me, it's safe).

On 7/5/18, Grant Edwards <grant.b.edwards@gmail.com> wrote:
> As of today, I seem to be unable to a an "emerge --sync".
>
> The process either hangs forever at the "Refreshing keys from keyserver
> step:
>
>     # emerge --sync
>     >>> Syncing repository 'gentoo' into '/usr/portage'...
>      * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
>      * Refreshing keys from keyserver ...
>
> Or, it fails because there are no public key to verify a manfest:
>
>     # emerge --sync
>     >>> Syncing repository 'gentoo' into '/usr/portage'...
>      * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
>      * Refreshing keys from keyserver ...
>              [ ok ]
>     >>> Starting rsync with rsync://156.56.247.193/gentoo-portage...
> [...]
>     receiving incremental file list
>     timestamp.chk
>
>     Number of files: 1 (reg: 1)
> [...]
>     sent 109 bytes  received 1.15K bytes  838.00 bytes/sec
>     total size is 32  speedup is 0.03
>     ---------------------------------------------------------
> [...]
>     receiving incremental file list
>     metadata/timestamp.chk
>
>     Number of files: 161,932 (reg: 134,486, dir: 27,446)
> [...]
>     sent 27.56K bytes  received 4.04M bytes  626.31K bytes/sec
>     total size is 218.65M  speedup is 53.71
>     !!! Manifest verification failed:
>     OpenPGP verification failed:
>     gpg: Signature made Thu 05 Jul 2018 06:38:32 PM UTC
>     gpg:                using RSA key
> E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
>     gpg: Can't check signature: No public key
>
>     q: Updating ebuild cache in /usr/portage ...
>     q: Finished 35635 entries in 0.141629 seconds
>
>      * IMPORTANT: config file '/etc/ssh/sshd_config' needs updating.
>      * See the CONFIGURATION FILES and CONFIGURATION FILES UPDATE TOOLS
>      * sections of the emerge man page to learn how to update config files.
>
>     Action: sync for repo: gentoo, returned code = 1
>
> I've found all sorts of recipes to try to fix this for webrsync users
> but I use plain-old "emerge --sync".
>
> I also found a recipe that appears to recommend you completely wipe
> portage and reinstall it from scratch using a snapshot.    Is that
> seriously what we're supposed to do?
>
> --
> Grant
>
>
>

[gentoo-user] Re: How to update public keys?

[Grant Edwards]

On 2018-07-05, Jalus Bilieyich <countolaf17@gmail.com> wrote:
> You just need to use Gentoo's built-in script from gentoolkit.
>
> Just run:
>
> # etc-update
>
> And overwrite the current config file you have (trust me, it's safe).

No help.  All that did was update the sshd config file by adding the following:

AcceptEnv COLORTERM

-- 
Grant Edwards               grant.b.edwards        Yow! The Korean War must
                                  at               have been fun.
                              gmail.com            

[gentoo-user] Re: How to update public keys?

[Grant Edwards]

On 2018-07-05, Grant Edwards <grant.b.edwards@gmail.com> wrote:
> As of today, I seem to be unable to a an "emerge --sync".
>
> The process either hangs forever at the "Refreshing keys from keyserver step:

[...]

> Or, it fails because there are no public key to verify a manfest:

For now, I've had to set add "sync-rsync-verify-metamanifest = no" to
my repo conf file so that I can actually do updates, but that seems
like a dangerous work-around.

Is access to a keyserver via TCP port 11371 now a requirement for
using portage?

Is there any other way to get keys updated that only requires the
normal https and rsync access?

-- 
Grant Edwards               grant.b.edwards        Yow! If I had a Q-TIP, I
                                  at               could prevent th' collapse
                              gmail.com            of NEGOTIATIONS!!

Re: [gentoo-user] Re: How to update public keys?

[Dale]

Grant Edwards wrote:
> On 2018-07-05, Grant Edwards <grant.b.edwards@gmail.com> wrote:
>> As of today, I seem to be unable to a an "emerge --sync".
>>
>> The process either hangs forever at the "Refreshing keys from keyserver step:
> [...]
>
>> Or, it fails because there are no public key to verify a manfest:
> For now, I've had to set add "sync-rsync-verify-metamanifest = no" to
> my repo conf file so that I can actually do updates, but that seems
> like a dangerous work-around.
>
> Is access to a keyserver via TCP port 11371 now a requirement for
> using portage?
>
> Is there any other way to get keys updated that only requires the
> normal https and rsync access?
>


For those having this problem, may I suggest this.  Look at the USE
flags here for portage.


[ebuild   R    ] sys-apps/portage-2.3.40-r1::gentoo  USE="(ipc)
native-extensions rsync-verify xattr -build -doc -epydoc -gentoo-dev
(-selinux)" PYTHON_TARGETS="python2_7 python3_5 (-pypy) -python3_4
-python3_6"


It seems to me that one could emerge portage with rsync-verify USE flag
disabled.  After that, do one update, hopefully that will update the
keys etc and then emerge portage again with the USE flag enabled. 
Hopefully after that one time workaround, the keys will be updated and
things will work like they should.

It seems to me that a perfect set of problems popped up at a rather bad
time.  It seems some keys expired AND the verify option which requires
those keys was enabled.  Now you have a catch 22 problem since you can't
get the new keys and verify at the same time due to the expired/bad
keys.  Add in the recent git issue and it has folks a little touchy
about working around this problem.   

I suspect one could use some variable on the command line or in
make.conf as a one time workaround as well. 

Would this work for everyone, rsync, websync and git or am I missing
something else?  Could this at least lead to a fix that everyone should
be able to use???

Dale

:-)  :-) 

[gentoo-user] Re: How to update public keys?

[Grant Edwards]

On 2018-07-05, Grant Edwards <grant.b.edwards@gmail.com> wrote:
> On 2018-07-05, Grant Edwards <grant.b.edwards@gmail.com> wrote:
>> As of today, I seem to be unable to a an "emerge --sync".
>>
>> The process either hangs forever at the "Refreshing keys from keyserver step:
>
> [...]
>
>> Or, it fails because there are no public key to verify a manfest:
>
> For now, I've had to set add "sync-rsync-verify-metamanifest = no" to
> my repo conf file so that I can actually do updates, but that seems
> like a dangerous work-around.

After turning off sync-rsync-verify-metamanifest and doing a sync and
update (which included app-crypt/openpgp-keys-gentoo-release-20180703),
I had hoped that I would be able to turn it back on, but now I get this:

    # emerge --sync
    >>> Syncing repository 'gentoo' into '/usr/portage'...
     * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
     * Refreshing keys from keyserver ...OpenPGP keyring refresh failed:
    gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
    gpg: keyserver refresh failed: General error
    
    OpenPGP keyring refresh failed:
    gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
    gpg: keyserver refresh failed: General error
    
    OpenPGP keyring refresh failed:
    gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
    gpg: keyserver refresh failed: General error
    
The last four lines repeat forever with an increasingly longer period.

Firing up wireshark shows that for each of those failures, there's a
TLS 1.2 connection to port 443 at hkps.pool.sks-keyservers.net which
gets set up, negotiated, and then closed.

-- 
Grant Edwards               grant.b.edwards        Yow! Hello...  IRON
                                  at               CURTAIN?  Send over a
                              gmail.com            SAUSAGE PIZZA!  World War
                                                   III?  No thanks!

[gentoo-user] Re: How to update public keys?

[Grant Edwards]

On 2018-07-05, Grant Edwards <grant.b.edwards@gmail.com> wrote:
> On 2018-07-05, Grant Edwards <grant.b.edwards@gmail.com> wrote:
>> On 2018-07-05, Grant Edwards <grant.b.edwards@gmail.com> wrote:
>>> As of today, I seem to be unable to a an "emerge --sync".
>>>
>>> The process either hangs forever at the "Refreshing keys from keyserver step:
>>
>> [...]
>>
>>> Or, it fails because there are no public key to verify a manfest:
>>
>> For now, I've had to set add "sync-rsync-verify-metamanifest = no" to
>> my repo conf file so that I can actually do updates, but that seems
>> like a dangerous work-around.
>
> After turning off sync-rsync-verify-metamanifest and doing a sync and
> update (which included app-crypt/openpgp-keys-gentoo-release-20180703),
> I had hoped that I would be able to turn it back on, but now I get this:
>
>     # emerge --sync
>     >>> Syncing repository 'gentoo' into '/usr/portage'...
>      * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
>      * Refreshing keys from keyserver ...OpenPGP keyring refresh failed:
>     gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
>     gpg: keyserver refresh failed: General error
>     
>     OpenPGP keyring refresh failed:
>     gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
>     gpg: keyserver refresh failed: General error
>     
>     OpenPGP keyring refresh failed:
>     gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
>     gpg: keyserver refresh failed: General error
>     
> The last four lines repeat forever with an increasingly longer period.

I never did figure what was causing the "General error".  After about
an hour of googling and reading descriptions of unrelated problems, it
just started working with no changes to any configuration.  Apparently
a server issue?

-- 
Grant Edwards               grant.b.edwards        Yow! I didn't order any
                                  at               WOO-WOO ... Maybe a YUBBA
                              gmail.com            ... But no WOO-WOO!

Re: [gentoo-user] Re: How to update public keys?

[Mick]

[-- Attachment #1: Type: text/plain, Size: 2093 bytes --]

On Thursday, 5 July 2018 23:05:51 BST Grant Edwards wrote:
> On 2018-07-05, Grant Edwards <grant.b.edwards@gmail.com> wrote:
> > On 2018-07-05, Grant Edwards <grant.b.edwards@gmail.com> wrote:
> >> On 2018-07-05, Grant Edwards <grant.b.edwards@gmail.com> wrote:
> >>> As of today, I seem to be unable to a an "emerge --sync".
> >> 
> >>> The process either hangs forever at the "Refreshing keys from keyserver 
step:
> >> [...]
> >> 
> >>> Or, it fails because there are no public key to verify a manfest:
> >> For now, I've had to set add "sync-rsync-verify-metamanifest = no" to
> >> my repo conf file so that I can actually do updates, but that seems
> >> like a dangerous work-around.
> > 
> > After turning off sync-rsync-verify-metamanifest and doing a sync and
> > update (which included app-crypt/openpgp-keys-gentoo-release-20180703),
> > 
> > I had hoped that I would be able to turn it back on, but now I get this:
> >     # emerge --sync
> >     
> >     >>> Syncing repository 'gentoo' into '/usr/portage'...
> >      
> >      * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
> >     
> >      * Refreshing keys from keyserver ...OpenPGP keyring refresh failed:
> >     gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
> >     gpg: keyserver refresh failed: General error
> >     
> >     OpenPGP keyring refresh failed:
> >     gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
> >     gpg: keyserver refresh failed: General error
> >     
> >     OpenPGP keyring refresh failed:
> >     gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
> >     gpg: keyserver refresh failed: General error
> > 
> > The last four lines repeat forever with an increasingly longer period.
> 
> I never did figure what was causing the "General error".  After about
> an hour of googling and reading descriptions of unrelated problems, it
> just started working with no changes to any configuration.  Apparently
> a server issue?

It could be a congestion issue.  I have noticed the same with different key 
servers at times.
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] How to update public keys?

[Marc Joliet]

[-- Attachment #1: Type: text/plain, Size: 637 bytes --]

Am Donnerstag, 5. Juli 2018, 21:22:15 CEST schrieb Grant Edwards:
[SNIP]

For those still having this problem, see https://bugs.gentoo.org/659914#c9.

In my case I just ran my usual "emerge -uDUva @world", which updated to the 
new app-crypt/openpgp-keys-gentoo-release-20180703 despite the sync failure (a 
problem that Rich described several times over the last few days); after all, 
what's one more unverified sync after this long?  Afterwards I synced again to 
verify that the problem was actually gone.

HTH
-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] How to update public keys?

[Marc Joliet]

[-- Attachment #1: Type: text/plain, Size: 1071 bytes --]

Am Donnerstag, 5. Juli 2018, 23:37:53 CEST schrieb Marc Joliet:
> Am Donnerstag, 5. Juli 2018, 21:22:15 CEST schrieb Grant Edwards:
> [SNIP]
> 
> For those still having this problem, see https://bugs.gentoo.org/659914#c9.
> 
> In my case I just ran my usual "emerge -uDUva @world", which updated to the
> new app-crypt/openpgp-keys-gentoo-release-20180703 despite the sync failure
> (a problem that Rich described several times over the last few days); after
> all, what's one more unverified sync after this long?  Afterwards I synced
> again to verify that the problem was actually gone.
> 
> HTH

(Shouldn't have snipped everything, dammit.)

To be specific, I meant this particular problem:

    !!! Manifest verification failed:
    OpenPGP verification failed:
    gpg: Signature made Thu 05 Jul 2018 06:38:32 PM UTC
    gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
    gpg: Can't check signature: No public key

-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]